Fiddler is fun to use for many reasons, mostly because, unlike Wireshark or tcpdump for example, you get a much nicer visual of what you are looking at, whether you are analysing some malware or just being paranoid about what a site is doing when you visit it. You will get a better understanding of what the traffic ingressing (entering) and egressing (leaving) your system is up to. Fiddler isn’t just for your browser; it will also see the traffic of system processes, web browsers and non-browsers.
You can install what is now Fiddler 4.0 easily by doing what is outlined below on your system.
Instructions for configuring mono (similar to wine) and using Fiddler can be found here.
Downloading Fiddler is as simple as running wget on http://ericlawrence.com/dl/MonoFiddler-v4484.zip, like so below.
Create a folder for Fiddler in your user directory first
Next, download and install mono from Xamarin directly, as this gets around the issues I ran into previously when installing it from the distribution’s software repository: although that route is quick and simple, it leads to HTTPS connections breaking a lot, which gets quite annoying.
Paste the following snippet below into the terminal in order to install the Xamarin version of mono as seen here.
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF
echo "deb http://download.mono-project.com/repo/debian wheezy main" | sudo tee /etc/apt/sources.list.d/mono-xamarin.list
sudo apt-get update
After apt-get update has run, you can install mono-complete as you would normally through apt-get:
sudo apt-get install mono-complete
This should finish without error
Now, to start Fiddler for the first time, you just need to run mono with Fiddler.exe as its argument, from the folder you extracted the zip into.
You will then hopefully see something like this appear once it has loaded for the first time
Now for some configuration so that we can decrypt the HTTPS traffic on the system: go to Tools -> Fiddler Options as outlined below.
Under the HTTPS heading choose to “Decrypt HTTPS traffic” which will then present you with the following pop up window. Just click OK to continue.
Click the button below “Export Root Certificate to desktop” and click OK to continue, this will do exactly as it suggests and copy the Fiddler Root Certificate directly to the desktop for you for your convenience in the next few steps.
Next, in Firefox go to Preferences -> Advanced -> Certificates -> View Certificates.
Under the Authorities tab choose import and select and import your Fiddler root certificate from the desktop and choose to trust it for websites and click OK
Next, while still in the Firefox Advanced preferences page, click on Network and then click Settings opposite “Configure how Firefox connects to the Internet”.
Modify your proxy configuration to the same as mine below and click OK
At this point you might as well restart your system to make sure all the changes that you made are persistent and will keep after a reboot which they should.
Now that you have everything persistent and working correctly you can start playing around with your network traffic. Let’s look at two different encrypted HTTPS searches and perform a search query with both Google and DuckDuckGo and see if we can find our searches 🙂
For the test all you need to do is open up your browser and perform a search for your keyword, my keywords in this case will be the opposite search engine names. I have also clicked on the Decode button which will decode traffic for us and make it even more human readable than it is normally.
As you can see below I have Firefox open and have performed a search query on DuckDuckGo.com for the keyword “google”. The traffic is encrypted though so we shouldn’t be able to see this traffic normally.
As you can see the search query is easily discovered under the Raw tab to the right with the search query at the bottom 🙂
You can also see this under the HexView
Quite cool, isn’t it? But surely this won’t work against Google? Or at least that’s what you’re probably led to believe, as they use HTTPS now like other sites, and nobody could possibly intercept and decode that, could they?
Well, what did you just see above? Exactly that: it wasn’t Google, but it was using HTTPS to secure the transmission of your search query. You may or may not be surprised, however, to discover that everything you type into Google’s search box is transmitted even if you haven’t submitted the query by pressing Enter or hitting the search button!
Creepy, isn’t it? All those searches you cleared before hitting search were still transmitted to Google for storage for the rest of your life.
Looking at all the areas covered above for DuckDuckGo, you will see your query submitted and searched for via Google’s search in the same places. I will, however, only cover the Raw section for this search, as you already know what exists in the others, and you are hopefully trying this yourself anyway rather than just believing what you are seeing. Never trust anything outright; always try something yourself before accepting that it is a certain way.
You can see the Raw output below
Cool, isn’t it? Fiddler is also brilliant for discovering Indicators of Compromise (IOCs) about malicious domains really quickly and easily. Some malware is aware of Fiddler, though, like most other analysis tools, so keep that in mind. It has a lot more power under the hood than what I just covered, so play around with it and see for yourself.
Type in a query and see if you can see your query as you typed it in stages depending on your speed
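As an added example (not from the original post), the script below reconstructs what a decrypted session like the one above leaks, working from request lines as they appear in Fiddler’s Raw tab. The sample requests are constructed, and the /complete/search and /search paths and the q parameter name are assumptions made for illustration.

```python
# Added example: reconstruct the keystroke-by-keystroke queries that a decrypted
# search session reveals, from request lines as shown in Fiddler's Raw tab.
# RAW_SESSION is constructed sample data, not a real capture; the
# /complete/search (autocomplete) and /search (submitted) paths are assumed.
from urllib.parse import urlsplit, parse_qs

RAW_SESSION = """\
GET https://www.google.com/complete/search?client=firefox&q=d HTTP/1.1
Host: www.google.com
GET https://www.google.com/complete/search?client=firefox&q=du HTTP/1.1
Host: www.google.com
GET https://www.google.com/complete/search?client=firefox&q=duck HTTP/1.1
Host: www.google.com
GET https://www.google.com/complete/search?client=firefox&q=duck%20du HTTP/1.1
Host: www.google.com
GET https://www.google.com/search?q=duckduckgo&ie=utf-8 HTTP/1.1
Host: www.google.com
GET https://duckduckgo.com/?q=google&t=ffsb HTTP/1.1
Host: duckduckgo.com
"""


def request_lines(raw):
    """Yield (method, url) for every HTTP request line in a Raw-tab dump."""
    for line in raw.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2].startswith("HTTP/"):
            yield parts[0], parts[1]


def search_terms(raw):
    """Return (host, path, query) for each request carrying a q= parameter."""
    found = []
    for _method, url in request_lines(raw):
        u = urlsplit(url)
        q = parse_qs(u.query).get("q")  # parse_qs also percent-decodes
        if q:
            found.append((u.hostname, u.path, q[0]))
    return found


def leaked_before_submit(raw, host="www.google.com", submit_path="/search"):
    """Partial queries sent by autocomplete before the user pressed Enter."""
    return [q for h, path, q in search_terms(raw)
            if h == host and path != submit_path]


if __name__ == "__main__":
    for host, path, q in search_terms(RAW_SESSION):
        print(f"{host}{path} -> {q!r}")
    print("sent before submit:", leaked_before_submit(RAW_SESSION))
```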
Do you see what the significance of the above WebForm tab screen-shots is?
Have fun 🙂